Anne Zieger is a veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of FierceHealthcare.com, and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

New research sponsored by the AMA and consulting firm Accenture has concluded that cyberattacks on medical practices are common – in fact, far more common than one might think.

Not only do these numbers suggest that patient data is far more vulnerable than expected, they also suggest that clinicians are often poorly educated about security and the implications of handling it badly. It’s fair to say that unless this trend is turned around, it could undermine industry efforts to build trusting relationships with patients and encourage them to engage in two-way data exchange.

The study found that most physicians (85%) think that sharing electronic protected health information is a good idea and that two-thirds believe that giving patients more access to their health data would improve care. One-third of respondents said that they share ePHI if they trust the vendors involved.

Thirty-seven percent get training content on security from their health IT vendor, and 50% said they trust these training providers and are sure the content is adequate. However, this may be a mistake. While 87% of respondents said that their practice is HIPAA-compliant, the study also found that two-thirds of doctors still have basic questions about HIPAA. It’s clear, in other words, that trusted relationships aren’t doing the job here.

In fact, an eye-popping 83% of medical practices have experienced some form of cyberattack such as malware, phishing or viruses. Not surprisingly, 55% of physicians surveyed are very worried about future cyberattacks. Unfortunately, worrying is what many people do instead of taking action, and that may be what’s going on here.

What makes these lax attitudes all the more problematic is that when attacks occur, the effect can be very substantial. For example, 74% of respondents said that a cyberattack was likely to interrupt their clinical practice, and 29% of doctors working in medium-sized practices said that it could take up to a full day to recover from an attack, a crippling length of time for any small business.

So what are practices willing to do to avoid these problems? Among these respondents, 60% said they would pay someone to create a security framework to protect ePHI. Also, 49% of practices surveyed have in-house security staffers on board. However, it should be noted that three times more medium and large practices have such an officer in place compared to smaller medical groups, probably because security expertise is very pricey.

However, probably the most valuable thing they can do is also the least expensive option on the list. Every practice should require that physicians stay current at least on HIPAA and cybersecurity basics. If medical groups do this, they’ve at least established a baseline from which they can work on other security issues.

I can’t believe I missed this. Apparently, financial giant USAA announced earlier this year that it’s collecting health data from life insurance applicants by interfacing with patient portals. While it may not be the first life insurer to do so, I haven’t been able to find any others, which makes this pretty interesting.

Usually, when someone applies for life insurance, they have to produce medical records which support their application. (We wouldn’t want someone to buy a policy and pop off the next day, would we?) In the past, applicants have had to push their providers to send medical records to the insurer. As anyone who’s tried to get health records for themselves knows, getting this done can be challenging and is likely to slow down policy approvals.

Thanks to USAA’s new technology implementation, however, the process is much simpler. The new offering, which is available to applicants at the Department of Veterans Affairs and Department of Defense, allows consumers to deliver their health data directly to the insurer via their patient portal.

To make this possible, USAA worked with Cerner on EHR retrieval technology. The technology, known as HealtheHistory, supports health data collection, encrypts data transmission and limits access to EHR data to approved persons. No word yet as to whether Cerner has struck similar deals elsewhere but it wouldn’t surprise me.

USAA’s new EHR-based approach has paid off nicely. The life insurer has seen an average 30-day reduction in the time it takes to acquire health records for applicants, and though it doesn’t say what the average was back in the days of paper records, I assume that this is a big improvement.

And now on to the less attractive aspects of this deal. I don’t know about you, but I see a couple of red flags here.

First, while life insurers may know how to capture health data, I doubt they’re cognizant of HIPAA nuances. Even if they hire a truckload of HIPAA experts, they don’t have much context for maintaining HIPAA compliance. What’s more, they rarely if ever have to look a patient in the face, which serves as something of a natural deterrent to provider data carelessness.

Also, given the industry’s track record, is it really a good idea to give a life insurer that much data? For example, consider the case of a healthy 36-year-old woman with no current medical issues who was denied coverage because she carried the BRCA1 gene. That gene, as some readers may know, is associated with an increased risk of breast and ovarian cancer.

The life insurer apparently found out about the woman’s genetic makeup as part of the application process, which included queries about genetic information. Apparently, the woman had had such testing, and as a result had to disclose it or risk being accused of fraud.

While the insurer in question may have the right, legally, to make such decisions, their doing so falls into a gray area ethically. What’s more, things would get foggier if, say, it decided to share such information with a sister health insurance division. Doing so may not be legal but I can easily see it happening.

Should someone’s genes be used to exclude them from life or health insurance? Bar them from being approved for a mortgage from another sister company? Can insurers be trusted to meet HIPAA standards for use of PHI? It’ll be important to address such questions before we throw our weight behind open health data sharing with companies like USAA.

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

I was browsing some old notes I’d taken on interesting resources and ideas. I came across some videos that ONC had created around the rights of patients when it comes to accessing health information.

Here’s a look at the first video:

The video is 3 minutes long and the information could have been shared in 30 seconds, but some of the points it shares are really good. For example, that it’s your right to be able to access your health information. Also, they make the point that you still have the right to get access to your health information even if you haven’t paid your bill.

It’s always amazing to me how many misconceptions there are out there when it comes to access to health information. We see HIPAA and other rules used as a reason to not provide patients their health information a lot and it’s often wrong.

The great thing is that over the 11 years I’ve been blogging, we’ve seen a real sea change in people’s perspectives on how and when you should have access to your patient record. That said, we still have a ways to go. Technology should make that record available to you whenever and wherever you want in near real time fashion. We see that in some organizations, but not enough.

These videos will never go viral, but they are a good information source for those patients who aren’t sure about their rights when it comes to access to their health information.

ONC and OCR recently released a number of videos that outline patients’ rights. Here’s one called “Individual’s Rights under HIPAA to Access their Health Information”:

What do you think of these videos? Will they effectively educate patients?

Katie Clark is originally from Colorado and currently lives in Utah with her husband and son. She writes primarily for Smart Phone Health Care, but contributes to several Health Care Scene blogs, including EMR Thoughts, EMR and EHR, and EMR and HIPAA. She enjoys learning about Health IT and mHealth, and finding ways to improve her own health along the way.

There are so many types of mHealth apps and devices out there, it was inevitable that someone would try to have them work together. At TEDMED 2013, Shiv Gaglani and a team of physicians-to-be will be presenting the “smartphone physical.” Are these types of visits closer to becoming a reality than we may have realized?

One of the amazing technologies that has been developed is a smartphone that measures vitals — maybe this will be used in smartphone physicals someday! The Fujitsu smartphone analyzes subtle changes in blood flow and determines vital signs, all from the user taking their photo with the phone’s camera. It goes to show that you don’t necessarily need fancy equipment to have incredible mHealth technology.

While some are concerned about the safety of email and texting for healthcare communication, it’s becoming a way of the future. Companies such as Physia and docBEAT are working specifically to make email and texts more secure. So which one is better? Both have their pros and cons – texting is quick and to the point, while email can take more time. Which would you rather receive?

With the current budget proposal by President Obama, EMR vendors might be impacted significantly. The ONC is suggesting that health IT vendors pay up to $1 million in fees. With the upcoming expiration of the ONC’s $2 billion appropriation from ARRA, the agency needs new funds. The fees would also help maintain ONC’s Certified Health IT Product List. Of course, vendors will not be happy to hear this news.

I was recently talking with a doctor who told me about a healthcare communications company called YouCall MD. The doctor liked many of the features that YouCall MD provided. He loved that they would answer your live calls, transcribe a message for you and send you that message by SMS. Well, he loved all of it except the part where YouCallMD was using insecure SMS messages to send protected health information (PHI).

I wrote about this before in my post called “Texting is Not HIPAA Secure.” I know that many doctors sit on all sides of this. I heard one doctor tell me, “They’re not going to throw us all in jail.” Other doctors won’t use SMS at all because of the HIPAA violations.

While a doctor probably won’t get thrown in jail for sending PHI over SMS, they could get large fines. I think this is an even greater risk when sending PHI over SMS becomes institutionalized through a service like YouCallMD. This isn’t a risk I’d want to take if I were a doctor.

Plus, the thing that baffles me is that there are a lot of secure text message services out there. Using these services would accomplish the same thing for the doctor and YouCall MD, and they wouldn’t put a doctor or institution at risk of violating HIPAA. Soon the day will come when doctors can send SMS-like messages on their phones in a secure way and won’t have to worry about it. I just think it’s a big mistake for them to be using their phone’s default SMS.

With the increased use of smartphones and tablets by doctors, BYOD (bring your own device) is on the rise. With it comes the almost inevitable risk of HIPAA violations. There needs to be some serious talk about protocols for BYOD, as the trend is here to stay. Can BYOD and HIPAA compliance coexist? Weigh in here.

Skype use among medical professionals isn’t high, but enough use it that proper attention should be paid to making sure these calls are HIPAA-compliant. There are quite a few risks associated with Skype calling, and this post discusses why providers should be concerned and poses some ideas on how to lessen these risks.

CIO Janakan Rajgendran from GNAX Health guest posted at EMR and HIPAA this week. He discussed some of the highlights from RSNA 2012. The theme of the conference was ‘Patients First,’ which was reflected in a lot of the addresses at the conference. This post focuses on several different highlights, such as dosage tracking, the imaging side of HIE, and changes in the RSNA conversation.

HIEs have grown significantly in the past year and continue to do so. Because of this, it appears that they are becoming the “backbone” for reform efforts. HIEs are also playing a big role in health reform-related efforts such as with ACO and Patient-Centered Medical Homes.

There are lots of apps that have been created to help people be prepared in case of an emergency. Here are five that seem to stand out, from first aid tips to emergency information cards. Check out this list and see if you can benefit from any of them.

While not everyone can make it to the NYeC 2012 Digital Health Conference, John is making sure everyone can enjoy parts of the conference from home. Dr. David J. Brailer, former National Coordinator for Health Information Technology and current Chairman of Health Evolution Partners, is a keynote speaker at this week’s conference, and spoke today on HIT.

Throughout the presentation, John live tweeted some highlights, as well as his own thoughts. Here are some of his tweets — if you want to see more, be sure to follow @EHRandHIT on Twitter.

Dr. West is an endocrinologist in private practice in Washington, DC. He completed fellowship training in Endocrinology and Metabolism at the Johns Hopkins University School of Medicine. Dr. West opened The Washington Endocrine Clinic, PLLC in 2009. He can be contacted at doctorwestindc@gmail.com.

Today’s post begins a series inspired by my recent participation in a breakfast panel in Washington, DC, Doctors and Patients Bridging the Digital Divide. There were a lot of useful ideas discussed during this panel, and so I decided to capture and share some with you.

One of the biggest holes in electronic medical records currently seems to be a lack of secure messaging systems built into the software. Although maybe not universally true, this still represents a huge problem that also represents a great opportunity for gains in technology that will enhance the doctor-patient relationship and move digital healthcare forward into the future.

Currently, my electronic medical record vendor does not supply this feature as part of its software package. However, as part of the Meaningful Use Stage 2 requirements by the federal government, the use of a certified EMR system that supports this function will be required. A HIPAA-compliant secure messaging system will be needed as a part of every electronic medical record going forward.

Currently, if I wanted to use secure messaging to communicate with my patients, I would have to purchase a separate third-party vendor’s online software to communicate in a HIPAA-compliant fashion. This involves an additional service agreement between the third party and me, as well as monthly fees that can be expensive. This would grant me the right not only to communicate with patients but also to bill third-party insurance companies for providing such electronic health services. However, what many people do not appreciate is that the reimbursement allowance for such services is quite minimal. Thus, regardless of the demand from patients, it’s currently more financially lucrative simply to see another patient in the office for a follow-up visit than to answer a message electronically.

If an electronic medical record vendor builds secure patient messaging into its platform, where there is already a contractual arrangement between the doctor and the EMR vendor, then a third-party cost would potentially become unnecessary. The prospect of using a built-in, HIPAA-compliant, secure messaging system suddenly becomes much more attractive and potentially fiscally responsible.

Unfortunately, many EMR systems are still at developing stages at which they do not yet have built-in secure messaging features in their PHR (personal health record) modules.

But what a wonderful and potentially powerful area for future development, one that could further encourage patients to play a more active role in their own health care. The ability of a patient to reach their doctor through the Internet is certainly an attractive feature if done right, and it seems potentially better than a patient spending five minutes on hold listening to elevator music only to finally speak to a front desk staff member who will only be able to forward a message, which may or may not be forwarded accurately.